From: Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: "Milan Knížek" <knizek.confy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: mount.cifs multiuser w/o krb5? How?
Date: Mon, 9 Jul 2012 06:26:08 -0400
Message-ID: <20120709062608.3a67445f@tlielax.poochiereds.net>
In-Reply-To: <1341612593.26748.9.camel-77nuZImz6nKt3pJmeLR6bw@public.gmane.org>

On Sat, 07 Jul 2012 00:09:53 +0200
Milan Knížek <knizek.confy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> Jeff Layton wrote on Fri 06. 07. 2012 at 14:15 -0400:
> 
> Hello Jeff,
> 
> > On Wed, 04 Jul 2012 20:52:17 +0200
> > Milan Knížek <knizek.confy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > > To move on for multiuser: adding the credentials to the keyring:
> > > [user1@client /]$ cifscreds add server
> > > and typing in the password.
> > > 
> > > (Similarly for user2.)
> > > 
> > > When I remount the same share with "multiuser" option with the
> > > credentials of user1, the share is accessible only by the root user, the
> > > users user1 and user2 cannot list the mount point (cannot access /mnt:
> > > Permission denied)
> > > 
> > 
> > Can you clarify exactly what you did above? How, exactly, did you
> > remount the share?
> 
> I actually unmounted and mounted again with the extra "multiuser"
> option.
> 

Ok, good...

> > > Adding cifscreds has exit code 0. Running "cifscreds clearall" results
> > > in "You have no stashed cifs credentials. If you want to add them use:
> > > cifscreds add" and exit code 1. That's weird.
> > > 
> > 
> > After you do the "cifscreds add", if you then do a "keyctl show" does
> > it show the cifs keys attached to your session keyring?
> > 
> > One thing that may be biting you: cifscreds attaches the keys to the
> > session keyring. If you do the "add" in one session and then try to
> > access from another, it won't work since the keys just aren't present.
> > The fact that "clearall" doesn't find any creds leads me to suspect
> > that's what's going on here.
> > 
> > The scope of a "session" in keys parlance is unfortunately somewhat
> > poorly defined, but you basically need to do the "cifscreds add" from
> > each login. A graphical login on the console would be a single session
> > however.
> 
> Hm, I will need to read more on the keyrings in kernel...
> 
> Anyway, here are some details:
> [root@client /]# su - zmrzlinka
> [zmrzlinka@client ~]$ keyctl show
> Session Keyring
>   14048542 --alswrv   1001    -1  keyring: _uid_ses.1001
>  320075663 --alswrv   1001    -1   \_ keyring: _uid.1001
> [zmrzlinka@client ~]$ cifscreds add -u zmrzlinka toillet
> Password: [blabla]
> [zmrzlinka@client ~]$ keyctl show
> Session Keyring
>   14048542 --alswrv   1001    -1  keyring: _uid_ses.1001
>  320075663 --alswrv   1001    -1   \_ keyring: _uid.1001
> 
> It does not seem to change anything. Is there a way to add the key
> to the keyring using "keyctl" instead of "cifscreds" (for testing
> purposes)?
> 
> Regards,
> Milan

Ok, that at least gives us something to go on. Running this under
strace might give us some sort of clue as to the problem as well.

cifscreds add is more or less equivalent to a command like this:

    $ keyctl add logon cifs:a:ip_address 'username:password' @s

If the server is multi-homed, then cifscreds add will add a key for each
address in the list returned when the hostname is resolved.

-- 
Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
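
The check discussed in the message above, as an added example that is not part of the original e-mail or of cifs-utils: given "keyctl show" output, it reports which of a server's addresses have no "logon" key of the form cifs:a:<address>. The function names, the 192.0.2.x addresses and the sample keyring listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: find server addresses that lack a cifs "logon" key
# in the session keyring, based on the key description cifs:a:<address>.

# Print one key description per address given as an argument.
cifs_key_descs() {
    for addr in "$@"; do
        printf 'cifs:a:%s\n' "$addr"
    done
}

# Read `keyctl show` output on stdin and print every address from "$@"
# that has no line ending in "logon: cifs:a:<address>".
missing_cifs_keys() {
    shown=$(cat)
    for addr in "$@"; do
        desc="logon: cifs:a:$addr"
        # Match the description only at the end of a line, as a fixed
        # string, so 192.0.2.1 is not satisfied by a key for 192.0.2.10.
        printf '%s\n' "$shown" | awk -v d="$desc" '
            { i = index($0, d)
              if (i && length($0) == i + length(d) - 1) found = 1 }
            END { exit !found }' || printf '%s\n' "$addr"
    done
}

# Constructed sample: a session keyring holding a key for one address only.
SAMPLE_KEYRING='Session Keyring
  14048542 --alswrv   1001    -1  keyring: _uid_ses.1001
 320075663 --alswrv   1001    -1   \_ keyring: _uid.1001
 598120347 --alsw-v   1001  1001   \_ logon: cifs:a:192.0.2.10'

# Live use (needs getent and keyctl): sh check.sh <server>
# Resolves every address of the server, as a multi-homed host has several,
# and lists those with no key in the caller's session keyring.
if [ "$#" -eq 1 ]; then
    addrs=$(getent ahosts "$1" | awk '{ print $1 }' | sort -u)
    # shellcheck disable=SC2086  # word splitting of $addrs is intended
    keyctl show | missing_cifs_keys $addrs
fi
```

When adding a missing key by hand, "keyctl padd logon cifs:a:<address> @s" reads the 'username:password' payload from standard input, which keeps the password out of the process argument list.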
